Security Policy
Last updated: January 5, 2024
This Security Policy describes the measures Domain takes to protect the confidentiality, integrity, and availability of data processed through its platform at domain.info. By using our services, you acknowledge and agree to the practices described in this document.
1. Scope
This policy applies to all systems, infrastructure, applications, and data managed by Domain in connection with the delivery of its online education and workshop platform. It covers all users, including registered participants, instructors, and administrative personnel.
2. Data Protection Principles
Domain applies the following core principles when handling user data:
- Confidentiality: Access to personal and sensitive information is restricted to authorised personnel on a need-to-know basis.
- Integrity: Data is protected against unauthorised modification, corruption, or deletion through technical and procedural controls.
- Availability: Systems are maintained to ensure reliable access and minimise unplanned downtime.
- Accountability: All data handling activities are logged and attributed to identifiable system actors where technically feasible.
3. Infrastructure Security
3.1 Hosting and Network
Platform services are hosted on infrastructure maintained by reputable cloud providers that comply with recognised security standards. Network traffic is segmented and monitored. Firewalls, intrusion detection mechanisms, and access control lists are applied to all production environments.
3.2 Encryption
- All data transmitted between users and the platform is encrypted using TLS 1.2 or higher.
- Sensitive data at rest, including credentials and personal information, is encrypted using industry-standard algorithms.
- Encryption keys are managed separately from the data they protect and are rotated on a defined schedule.
3.3 System Hardening
Production servers and services are configured according to established hardening guidelines. Unnecessary services, ports, and protocols are disabled. Operating systems and software dependencies are kept up to date with security patches applied in a timely manner.
4. Access Control
4.1 Authentication
User accounts are protected by password-based authentication. Passwords are stored using one-way cryptographic hashing with salting. Users are encouraged to choose strong, unique passwords. Where available, multi-factor authentication is supported and recommended.
4.2 Authorisation
Access to data and system functions is governed by role-based access control. Users are granted the minimum level of access necessary to perform their designated tasks. Privileged access to backend systems is reviewed regularly and revoked promptly upon role change or termination.
4.3 Administrative Access
Administrative access to production systems is limited to a small number of designated personnel. All administrative sessions are logged. Remote access to internal systems requires secure, authenticated channels.
5. Application Security
5.1 Secure Development
Security considerations are integrated throughout the software development lifecycle. Code changes are reviewed before deployment. Known vulnerability classes, including those described in the OWASP Top Ten, are addressed as part of standard development practice.
5.2 Vulnerability Management
Domain conducts periodic reviews of its systems to identify and remediate security vulnerabilities. Third-party dependencies are monitored for known security issues. Critical vulnerabilities are prioritised for immediate remediation.
5.3 Security Testing
The platform undergoes periodic security assessments, including vulnerability scanning. Findings from these assessments are tracked and resolved according to their severity classification.
6. Data Handling and Storage
6.1 Data Minimisation
Domain collects only the data necessary to deliver its services. Data that is no longer required is deleted or anonymised in accordance with applicable retention schedules.
6.2 Backups
Automated backups of critical data are performed on a regular schedule. Backups are stored in encrypted form and tested periodically to verify recoverability. Backup retention periods are defined and enforced.
6.3 Third-Party Processors
Where data is processed by third-party service providers, Domain evaluates their security posture before engagement and maintains appropriate contractual safeguards. Third parties are not permitted to use user data for any purpose beyond the delivery of the contracted service.
7. Incident Response
7.1 Detection and Response
Domain maintains procedures for detecting, reporting, and responding to security incidents. Monitoring systems are in place to identify anomalous activity. Incidents are classified by severity and addressed according to defined response protocols.
7.2 Notification
In the event of a confirmed security incident that affects user data, Domain will notify affected users within a reasonable timeframe, providing information about the nature of the incident and the steps being taken to address it. Notification will be made through the contact information registered with the account or through prominent notice on the platform.
7.3 Post-Incident Review
Following any significant security incident, a post-incident review is conducted to identify root causes and improve preventive controls. Lessons learned are incorporated into ongoing security practices.
8. Physical Security
Domain relies on cloud infrastructure providers for physical security of underlying hardware. These providers maintain physical access controls, environmental protections, and surveillance appropriate to their facility classification. Domain personnel do not operate or have direct access to physical data centre equipment.
9. Employee and Contractor Obligations
All personnel with access to platform systems or user data are required to adhere to security policies and procedures. Awareness of security responsibilities is communicated as part of onboarding and reinforced periodically. Personnel are required to report suspected security incidents or vulnerabilities promptly. Access is revoked upon departure or change of role without delay.
10. User Responsibilities
Users of the platform share responsibility for maintaining security within their own accounts. Users are expected to:
- Keep login credentials confidential and not share account access with others.
- Use a strong, unique password for their Domain account.
- Log out of their account when using shared or public devices.
- Report any suspected unauthorised access to their account promptly.
- Keep the email address associated with their account current and accessible.
Domain is not liable for security incidents arising from a user's failure to maintain reasonable precautions over their own credentials or devices.
11. Responsible Disclosure
Domain welcomes reports of potential security vulnerabilities from security researchers and users. If you believe you have identified a security issue affecting our platform, please contact us at [email protected] before disclosing it publicly. We ask that you provide sufficient detail to reproduce the issue and allow reasonable time for investigation and remediation. Domain will not pursue legal action against individuals who report vulnerabilities in good faith and in accordance with this process.
12. Changes to This Policy
This Security Policy may be updated from time to time to reflect changes in our practices, technology, or applicable requirements. Material changes will be communicated through the platform or via email to registered users. Continued use of the platform following the effective date of a revised policy constitutes acceptance of the updated terms.
13. Contact
Questions or concerns regarding this Security Policy may be directed to:
- Email: [email protected]
- Phone: +1 780 454 7373
- Postal address: 156 Mary St, Orillia, ON L3V 3E3, Canada